Micron Chief Dies in Crash

Steve Appleton Loved Fast Jets, Cars; 'I'd Rather Die Living Than Die Dying'

By SHARA TIBKEN and DON CLARK

Steven R. Appleton, chairman and chief executive of Micron Technology Inc. and one of the most prominent figures in the semiconductor industry, died Friday when the high-performance airplane he was piloting crashed at Boise, Idaho's airport.

The death of the 51-year-old stunned Micron, the well-known maker of memory chips based in the same city, and comes at a time of rapid change for the company and its industry.

The National Transportation Safety Board is investigating the accident, which happened soon after Mr. Appleton took off alone in a single-engine Lancair. The plane, from a maker of aircraft kits, had taken off and landed once and was
Tornadoes Hamper Boeing Supplier

Spirit Says Output Suspended 'At Least' Through Tuesday; Deliveries Could R
of Week

By JON OSTROWER

WICHITA, Kan. — A key Boeing Co. supplier said it aims to re
deliveries by the end of the week after tornadoes battered its factories hen
highlighting the fragility and resilience of the aerospace giant's global sup
it works to sharply increase production.

The storms late Saturday caused significant-to-major damage to 10 buildi
flagship campus of Spirit AeroSystems Inc., which makes fuselages and
for Boeing's hot-selling 737, 777 and 787 Dreamliner passenger jets
said production — which normally runs seven days a week — would be susp
least" through Tuesday and that it expects "near-term production disrupti
including delivery impacts" to customers.

Spirit spokesman Ken Evans
assessments found most of
machinery and inventory intact. "We
believe we can use the facilities we've
got," he said in an interview here in
Wichita, a major manufacturing hub for
the aerospace indust
production before the winter this year
and expect that the work to fully repair
the plant will take at least three
months," an Evonik spokeswoman said.
Several Evonik executives attended the
meeting on Tuesday.
By JEFF BENNETT and JAN HROMADKO

Production shortfalls at a single German auto-parts supplier are beginni
through the global auto business.

The explosion at a German chemicals plant two weeks ago, which kil
two workers, has thrown the global car industry into turmoil as
manufacturers run short of a vital component, prompting an emergency
meeting in Detroit

More than 200 auto executives met in a Detroit suburb on Tuesday to evaluate a looming shortage of a relatively obscure resin essential to modern auto production.

Inventories of the resin are being depleted a
Industries AG plant in Marl, Germany, that
itself as the only integrated maker of the re
lines.
NEW DELHI — Much of India's electricity supply network collapsed Tuesday in the country's second major outage in two days, affecting more than 680 million people — double the population of the U.S. — and causing business losses estimated to run into the hundreds of millions of dollars.

Thousands of offices and factories had to
switch to generators or shut shop, more
than 200 trains were brought to a
standstill while hospitals had to ask
nurses to manually work critical
equipment such as ventilators as 21
provinces experienced a near-total
Computer Glitch Halts American Airlines Flights

The Federal Aviation Administration is holding all American Airlines flights at their origin airports until at least 5 p.m. Eastern time on Tuesday while the carrier tries to resolve a nationwide outage to its reservations system.
STATEN ISLAND ADVANCE

Tracking the storm

The worst of the powerful hurricane is expected Monday night into Tuesday

The city is in a virtual
lockdown as a storm of
unprecedented character
slammed into the East Coast,

Boston transit shut down, nearly 1 million sheltering in place amid terror hunt
Advanced persistent threat

From Wikipedia, the free encyclopedia

Advanced persistent threat (APT) usually refers to a group, such as a
effectively target a specific entity. The term is commonly used to refer to
intelligence gathering techniques to access sensitive information, but
Other recognized attack vectors include infected media, supply chain
usually referred to as an APT as they rarely have the resources to be both
Chinese Hackers Hit U.S. Media

Wall Street Journal, New York Times Are Breached in Campaign That Stretches Back Several Years

By SIOBHAN GORMAN, DEVLIN BARRETT and DANNY YADRON

WASHINGTON — Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of media companies including The Wall Street Journal, apparently to spy on reporters covering China and other issues, people familiar with the incidents said.

Journal publisher Dow Jones & Co. said Thursday that the paper's computer systems had been infiltrated by Chinese hackers, apparently to monitor its China coverage.

New York Times Co. disclosed Wedr
More companies reporting cybersecurity incidents

By Ellen Nakashima and Danielle Douglas, Published: March

At least 19 financial institutions have disclosed to investors in
computers were targets of malicious cyberassaults last year, a

sector.

February 19, 2013, 12:01am
Are the ongoing DDoS attacks against U.S. banks just the calm before the storm?

by Avivah Litan, March 14, 2013 | 1 Comment

That's a viable hypothesis after hearing that the attackers only used one third of the bandwidth they had staged for their latest round of attacks against U.S. banks last Tuesday. Reportedly, on Tuesday the total size of the DDoS attack was 190 gigabits at one time, with the largest attack against a single bank at 110 gigabits.

Interestingly, the attackers could have easily done even more damage but they chose not to. 9200 bots were identified as attack-capable but the total number of bots actually involved in sending the DDoS traffic to the banks numbered only about 3200. The other 6000 bots sat there doing nothing.
False AP Twitter Message Sparks Stock-Market Selloff

By SHIRA OVIDE

The Associated Press said Tuesday its Twitter account was compromised, resulting in a false message on the service that explosions in the White House had injured President Barack Obama. The message briefly sparked a selloff on U.S. stock markets.

"The Twitter account has been hacked," the AP said in a statement Tue
tweet about an attack on the White House is false."

Other Twitter accounts associated with Associated Press were quick to
false Twitter message, which was posted just after 1 p.m. Eastern time,
afterward, the news organization's main Twitter account was suspended


Software Engineering Institute
Carnegie Mellon University
© 2014 Carnegie Mellon University


CSO

Pacemaker hack can deliver deadly 830-volt jolt

Pacemakers and implantable cardioverter-defibrillators could be manipulated for an anonymous assassination

By Jeremy Kirk
Patients Put at Risk By Computer Viruses

By CHRISTOPHER WEAVER

The Food and Drug Administration is warning makers of heart monitors, mammogram machines and myriad other medical devices that their gear is at risk of
Challenges to Organizational Mission

The operational mission of organizations is under stress on a minute-by-minute basis.

The stress comes from

• pervasive use of technology
• globalization
• complexity of business processes
• operational complexity
• movement toward intangible assets
• global economic pressures
• open borders
• geo-political pressures
• regulatory and legal boundaries
• intertwining of cyber and physical domains
• terrorists & professional hackers

...and is exacerbated by increased intertwining of cyber and physical domains.
Disruptive Events

Natural or Manmade
Accidental or Intentional
Small or Large
Information Technology or Not
Cyber or Kinetic

Fire
Flooding
IT failures
Earthquakes
Cyber attacks
Severe weather
Network failures
Technology failures
Organizational changes
Loss of service provider
Strikes or other labor actions
Loss of customer or trading partner
Chemical, biological, and nuclear hazards
Unavailability of workforce
Failed internal processes
Supply chain disruption
Employee kidnappings
Workplace violence
Data corruption
Product failure
Power outages
Civil unrest
Terrorism
Fraud
Etc.

Interruption of processes
...through which operational risks are realized




Yesterday vs. Today

Ever-Increasing Capability & Complexity

Biplane: 0 SLOC
Apollo Lunar Module: 2K SLOC
SR-71: 500K SLOC
F-35: 9.9M SLOC

SLOC = Source Lines of Code

Yesterday's mission success would have been...

Today mission success is about...

Business process complexities
Application complexities
and more...
Yesterday's Mission Protection

Continuity of Operation (COOP)
Emergency Response
Business Continuity
IT Disaster Recovery

Today's Mission Protection

Continuity of Operation (COOP)
Business Continuity
Contingency Planning
Cyber Protection
Emergency Management

Today's Business Environment

Today's Business Environment Is Much Less Forgiving
Operational Resilience

Operational Risk

A form of risk affecting day-to-day business operations

A very broad risk category
• from high-frequency low-impact to low-frequency high-impact

Exacerbated by
• actions of people
• systems and technology failures
• failed internal processes
• external events
• bad decisions

Why do operational risks matter?

Trust and confidence of employees and customers
Reputation and image
Regulatory compliance, fines, and legal penalties
Customer retention and growth
Life, safety, and health of customers and employees
Productivity and profitability
Organizational survival

... because they have explicit and direct IMPACT
resilience, noun

• power or ability to return to the original form, position, etc. after being bent, compressed, or stretched
• ability of an ecosystem to return to its original state after being disturbed
• ability to recover readily from illness, depression, adversity, or the like
• capability of a strained body to recover its size and shape after deformation
• physical property of a material that can return to its original shape or position after deformation that does not exceed its elastic limit
• ability to recover from or adjust easily to misfortune or change
• ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation
Operational Resilience

The emergent property of an entity

• that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit

• to meet its mission under times of disruption or stress and return to normalcy when the disruption or stress is eliminated

The entity can be an:

Organization
Nation
Armed Forces
Critical Infrastructure
System
Network
Supply Chain
Community
Ecosystem
Cyberspace
An Analogy: Health

Is there a place that you can purchase health?

Is there a place where health is manufactured?

How do you become healthy?

Health & Resilience: They are both emergent properties.
Operational Resilience & Mission Success

To be operationally resilient, cyber- and/or kinetic-enabled missions must address operational risk on a number of "planes."

Operational Efforts Must Consider and Enable Such Multidimensionality

Organizational Mission - Revisited

Services and Products

Outputs of an organization can be internally or externally focused. Collectively they enable an organization's mission.
Example: U.S. Postal Service

Mission of USPS

Productive Activities or Business Processes

(Diagram: productive activities or business processes feeding the organization mission)

Activities that the organization (and/or its suppliers) perform to ensure that services and products are generated

A service or product is made up of one or more business processes.

Example: U.S. Postal Service
Assets

Something of value to the organization

Asset value relates to the importance of the asset in meeting the service mission.

Asset Types of Importance to Operational Resilience

Example: U.S. Postal Service
People Assets
• 574,000 employees
• Mail carriers
• Postal inspectors
• Postmasters
• Truck drivers
• Mechanics
• Software developers
• Network engineers
• Postmaster general
• Etc.

Information Assets
• National address database
• National zip code database
• Customer PII
• Employee PII
• Data associated with each piece of mail
• Information processed by USPS.com

Technology Assets
• APC kiosks
• AFCS/OCR
• APPS machines
• AFSM, APBS, UFSM, PARS
• Computers
• Servers
• Laptops

Facility Assets
• 30,000+ facilities
• 200,000+ vehicles
• HQ building
• Raleigh data center
• Eagan data center
• P&DCs
• 70,000+ stores, banks, ...
Service or Product

Operational Resilience Starts at Asset Level

Analogy - Protection and Sustainment Strategies

Protection Activities
• Translate into activities designed to keep assets from exposure to disruption
• Example: "security" activities, but may also be embedded in IT operations activities

Sustainability Activities
• Translate into activities designed to keep assets productive during adversity
• Example: "business continuity" activities

Service or Product
Organizational Context for Resilience Activities

This is where operational resilience management, protection, and sustainment begin.

CERT Resilience Management Model (CERT-RMM)

Framework for managing and improving operational resilience

http://www.cert.org/resilience/

"...an extensive superset of the things an organization could do to be more resilient."
— CERT-RMM adopter

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White
Desired Integrated Approach

Cybersecurity
Disaster Recovery,

Pull for Integrated Cyber Resilience

"Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements."

CYBERSPACE POLICY REVIEW
A Sampling of CERT-RMM

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White
Department of Homeland Security

Cyber Resilience Review

The Cyber Security Evaluation Program (CSEP), within the Department of Homeland Security's (DHS) National Cyber Security Division (NCSD), conducts a no-cost voluntary Cyber Resilience Review (CRR) to evaluate and enhance cyber security capacities and capabilities within all 18 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal, and Territorial (SLTT) governments. The CRR seeks to understand cyber security management of services (and associated assets) critical for an organization's mission success by focusing on protection and sustainment practices within ten key domains that contribute to the overall cyber resilience of an organization.

Overview

The CRR is based on the CERT Resilience Management Model (CERT-RMM) developed by Carnegie Mellon University's Software Engineering Institute (www.cert.org/resilience/rmm.html). The goal of the CRR is to develop an understanding of an organization's operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises.

The CRR seeks to elicit the current state of cyber security management practices from key cyber security personnel — Chief Information Officers, Chief Information Security Officers, and those responsible for management of IT Security, IT Operations, and Business Continuity.

The CRR results in a report that summarizes observed strengths and weaknesses in each domain and provides options for consideration containing general guidance or activities aimed at improving the cyber security posture and preparedness of an organization.

CRR Domains & Asset Types

The CRR focuses on the following ten domains:

1. Asset Management
2. Configuration and Change Management
3. Risk Management
4. Controls Management
5. Vulnerability Management
6. Incident Management
7. Service Continuity Management
8. External Dependencies Management
9. Training and Awareness
10. Situational Awareness

The CRR addresses the following four asset types:

1. People
2. Information
3. Technology
4. Facilities

What to Expect

• The CRR is a one-day, on-site facilitation and interview of key cyber security personnel.

• The participants will receive a draft report within 45 calendar days to review and provide feedback on report results. DHS will subsequently issue a final CRR Report.

• CRR results are afforded protections under the DHS Protected Critical Infrastructure Information (PCII) Program (www.dhs.gov/pcii) — the results are for organization use and DHS does not share results.

Contact Information for CRR-related Inquiries

Please address inquiries regarding the CRR to: CSE@hq.dhs.gov (Cyber Security Evaluations).

About DHS and NCSD

DHS is responsible for safeguarding the Nation's critical infrastructure from physical and cyber threats that can affect national security, public safety, and economic prosperity. NCSD leads DHS's efforts to secure cyberspace and cyber infrastructure. For additional information, please visit www.dhs.gov/cyber.
ES-C2M2

ELECTRICITY SUBSECTOR CYBERSECURITY CAPABILITY MATURITY MODEL (ES-C2M2)

Version 1.0, 31 May 2012

U.S. Postal Inspection Service (USPIS)

The law enforcement arm of the U.S. Postal Service

The USPIS has used CERT-RMM to address such operational risks as

• export screening
• new product security
• measuring and monitoring risks associated with fraud
• physical security and aviation screening for international mail
• improved processes for investigative response to network security incidents
Lockheed Martin

Application of the CERT® Resilience Management Model at Lockheed Martin

Lockheed Martin Corporation has collaborated with the Software Engineering Institute on the application of the CERT Resilience Management Model (CERT-RMM) to improve Lockheed Martin's corporate-wide business continuity, IT disaster recovery, crisis management, and pandemic planning activities. Two CERT-RMM Class C appraisals have been conducted as part of the collaboration. This presentation will provide an overview of the project, information about the appraisals, and a summary of the use of the appraisal results.
In Closing

Hurricane Sandy Surprised Us in Many Ways
Most Talked-About Subject Afterward...

Cornell University CHRONICLE, March 4, 2013
Arctic ice loss amplified Superstorm Sandy violence
By Blaine Friedlander

If you believe that last October's Superstorm Sandy was a freak of nature - the confluence of unusual meteorological, atmospheric and celestial events - think again.

Cornell and Rutgers researchers report in the

The New York Times, Tuesday, March 19, 2013
Environment: A Blog About Energy and the Environment
SCIENCE | October 30, 2012, 5:46 pm
Did Global Warming Contribute to Hurricane Sandy's Devastation?
By JUSTIN GILLIS

Bloomberg Businessweek, Politics & Policy
By Paul M. Barrett on November 01, 2012

Yes, yes, it's unsophisticated to blame any given storm on climate change. Men and women in white lab coats tell us—and they're right—that many factors contribute to each severe weather episode. Climate deniers exploit scientific

How Does Climate Change Make Superstorms Like Sandy More Destructive?
By Joe Romm on Oct 31, 2012 at 5:03 pm

Hurricane Sandy Damage Partly Caused By Climate Change, Scientists Say
Posted: 11/06/2012 10:06 am EST, Updated: 11/06/2012 10:06 am EST
A better question to ask: How has the national risk environment changed?

Movement from traditional wireline telephony to cell phones and broadband cable telephony

Cutting The Lifeline
The percentage of cellphone-only households is growing
July-Dec. 2011: 34%
Source: CDC/NCHS surveys of 136,223 households conducted Jan. 2008-Dec. 2011; 95% confidence interval
The Wall Street Journal

"...As of 2003, 153 million Americans lived in coastal counties - an increase of 33 million since 1980 - and 3.7 million lived within a few feet of high tide..."
— Bryan Walsh, Time Magazine, November 12, 2012

Dependency on large number of mobile devices needing frequent recharging

... and there are many more.


Expansion of National Risk Environment

• Globalization
• Operational complexity
• Pervasive use of technology
• Intertwining of cyber and physical domains: increased role of cybersecurity in securing physical assets
• Movement toward intangible assets
• Global economic pressures
• Regulatory and legal boundaries
• Geo-political pressures

Successful management of operational risk may require a (significant) shift in thinking and approach.
Protecting the enterprise remains a complex and multifaceted challenge.

Disruptive events, through which risks are realized, will continue to surprise us.

Traditional tools, techniques, and methods may not work as well in this environment.

How should an enterprise deal with (and plan for) such surprises?

How should an enterprise operate in such an environment?
Promising Approaches

MODELS: Next generation of integrated cyber-resilience management frameworks?

EDUCATION: Resilience Engineering - A new engineering discipline?

RISK MGMT: Re-shaping (not fighting with) the risk landscape?

POLICY: Should organizations be legally allowed to fight back when under cyber attack?

TECHNOLOGY: Mechanisms to compose resilient systems from brittle components?

"The oak fought the wind and was broken, the willow bent when it must and survived."

Robert Jordan, The Fires of Heaven

Thank you for your attention...